ATP HI Script for machine isolation

I need a solution

Hi Guys,

We have recently purchased ATP and are in the middle of configuring it alongside our SEP 12.1.8 environment. One of the features with ATP is the ability to isolate and quarantine a machine if it shows up as infected. This hasn’t worked to date and a bit of research shows it needs to be linked to a HI script and a Quarantine firewall policy. The Firewall policy and the link to the OU policy we believe are set up correctly.

Where I am having an issue is generating the script that comes inside the HI policy. There is no predefined script created by SEP. The only option I see is to create a custom script with the "If, Then" script and select "Antivirus: Check not infected". However, with this there is no option under the "If" to state: if infected take action A, if not infected take action B.

Perhaps someone has already configured this link between ATP and SEP who could share the HI policy or let me know the steps to take here.

https://support.symantec.com/en_US/article.HOWTO125535.html - this is the article I am working off at the moment.

Joe

Does DoScan support ERRORLEVEL for virus scans using the command prompt?

I need a solution

I am trying to scan a file using the command prompt and want to get the scan result using the error level. But each time I am getting ERRORLEVEL 0, even in the case of a file with a virus after the scan.

Version: Symantec Endpoint Protection Manager (14.1)

OS: Windows 10 operating system

I am using the below command in cmd:

>DoScan.exe /ScanFile "D:Personalfifa.txt"

>echo "%ERRORLEVEL%"

"0"

For each case it's returning 0 as ERRORLEVEL, i.e. a virus file scanned with DoScan.exe returns ERRORLEVEL 0.

Is there any process to get a proper ERRORLEVEL? If not, does Symantec Endpoint Protection Manager 14.1 support ERRORLEVEL for scans using the command prompt?

Built-in Web Audit Report, search for multiple Destination URLs

I need a solution

Hi, I'm trying to use the Web Audit report to search for multiple URLs. The advanced settings of the report do have a field called "Destination URLs", so I'm assuming that I can have more than one. My problem is I can't work out the required syntax, nor can I find anything online to help.

Anyone out there able to help me with this?

Thanks for reading,

John

SEP blocks safe removal of external disks (AHCI or USB)

I need a solution

Hi,
I have a problem: whenever I issue a safe remove command, System starts to access SYMEFA*.DB and SYMEFA*.DB-journal from <disk>:\System Volume Information\EfaSIDat, which blocks the safe remove process.
I used resource monitor to identify the files causing the problem. I noticed that they are not accessed unless a safe remove is issued!
There is another forum discussion that states that upgrading from 12.4 fixes the problem. I upgraded to 12.6 then to 14.0 RU1 and the problem is still there.
OS: Windows Server 2012 R2 Datacenter

Summarize all solution plugin license status

I need a solution

I have only managed to create an individual solution report using

DECLARE @Product AS NVARCHAR (200)
-- Enter the GUID of the solution or its name.
-- If it is only part of the GUID or name, make sure to use % symbols as needed.
SET @Product = 'Altiris Patch Management Solution'

-- One row per (solution, computer) pair for the selected solution
SELECT vp.Name, vc.Name, vc.Domain, liu.*
FROM LicenseInUse liu
JOIN vProduct vp ON vp.Guid = liu.LicensingPolicyGuid
JOIN vComputer vc ON vc.Guid = liu.ResourceGuid
WHERE vp.Name LIKE @Product OR vp.Guid LIKE @Product
ORDER BY vp.Name, vc.Name

but how can I create a SQL report like the table below?

Name       OSName               Inventory Solution   Patch Management Solution   Software Management Solution
Computer1  Windows 7            Yes                  Yes                         Yes
Computer2  Windows 7            Yes                  Yes                         Yes
Computer3  Windows 7            Yes                  Yes                         Yes
Computer4  Windows Server 2008  Yes                  No                          No
Computer5  Mac OS X             Yes                  No                          No
Computer6  Windows 7            Yes                  Yes                         Yes
Computer7  Windows 7            Yes                  Yes                         Yes
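
One way to produce the per-computer table from the same views the post's query uses, as an added T-SQL example that is not part of the original post: each solution becomes a Yes/No column via conditional aggregation. The vComputer.[OS Name] column, the column aliases and the LIKE patterns are assumptions to adjust for your schema.

```sql
-- Added example (not from the original post). One row per computer, one Yes/No
-- column per solution. Assumes SQL Server and the LicenseInUse, vProduct and
-- vComputer views from the post; vComputer.[OS Name] is an assumed column name.
SELECT
    vc.Name,
    vc.[OS Name] AS OSName,
    -- MAX() works because 'Yes' sorts after 'No'; a computer with at least one
    -- matching LicenseInUse row therefore ends up with 'Yes'.
    MAX(CASE WHEN vp.Name LIKE '%Inventory Solution%'           THEN 'Yes' ELSE 'No' END)
        AS [Inventory Solution],
    MAX(CASE WHEN vp.Name LIKE '%Patch Management Solution%'    THEN 'Yes' ELSE 'No' END)
        AS [Patch Management Solution],
    MAX(CASE WHEN vp.Name LIKE '%Software Management Solution%' THEN 'Yes' ELSE 'No' END)
        AS [Software Management Solution]
FROM vComputer vc
-- LEFT JOINs keep computers that hold no solution license at all;
-- they show 'No' in every solution column instead of disappearing.
LEFT JOIN LicenseInUse liu ON liu.ResourceGuid = vc.Guid
LEFT JOIN vProduct vp ON vp.Guid = liu.LicensingPolicyGuid
GROUP BY vc.Name, vc.[OS Name]
ORDER BY vc.Name;
```

Add one more MAX(CASE ...) line per additional solution you want as a column; the LIKE patterns should match the vp.Name values returned by the post's own query.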


Saving external storage incident attachments & increasing visible incident characters

I need a solution

All,

I've been poring through the documentation here and am beginning to think I'm crazy. The attachments are not being saved for external storage incidents; however, they are being saved for Endpoint Prevent SMTP incidents. I looked into the response rule, and the "Limit Data Retention" option is in there, with a check next to "retain original message" and with it set to not discard attachments on network incidents. From what I've read, it should be able to retain these attachments. Can anybody help me on this one with what I may be missing?

Also, is there a setting where more characters can be included before and after the matches that are highlighted on the incident page? Sometimes with the scant number of words we are getting now before and after the keywords we are looking for, it's kind of hard to get the context. I'm guessing it's a setting somewhere, but I just cannot seem to find it.

Thank you so much for any help!